Previous Page: Appliance Groups and Multi-homed Configurations  Next Page: Using and Tuning iChain Features

Using Token Authentication with iChain

You can configure Novell iChain to leverage the authentication service provided by Novell Modular Authentication Service (NMAS) Enterprise Edition. You can set up your iChain users so they are required to authenticate to eDirectory using a token device. This adds a higher level of protection to your information by ensuring that only those who have the proper token code can have access to your information.

There are three steps you must perform to set up token authentication with iChain:

  1. Installing NMAS, Novell RADIUS, and a Token Method.
  2. Configuring Novell RADIUS Components.
  3. Setting Up the iChain RADIUS Client.

Installing NMAS, Novell RADIUS, and a Token Method

You must install NMAS into your eDirectory tree. NMAS is included on the iChain Authorization Server CD under the \NMASSERVER directory. Change to this directory and run SETUP.EXE.

As part of the NMAS installation, you can select and install the Novell RADIUS server components.

IMPORTANT:  The NMAS installation screen lists NICI 1.5.7 or later on the NMAS server. You will need to install NICI 2.01 on the NMAS server. This version of NICI is included on the iChain Authorization Server CD under the \NICI directory.

If you run ConsoleOne from a different location than the NMAS server, you will want to install the NMAS ConsoleOne snap-ins to that location. To do this, change to the \NMASCONSOLEONE directory on the iChain Authorization Server CD and run SNAPININSTALL.EXE. This will allow you to install the NMAS ConsoleOne snap-ins to any location you choose.

IMPORTANT:  Your NMAS server must reside in the same eDirectory tree as your iChain LDAP server that holds the Access Control List (ACL). This allows the ACL to recognize users who are authenticating using NMAS and to allow the users access to the information they need.

After NMAS is installed, you can select, install, and set up a third-party token login method. The token login methods are available for download at the iChain Web site. Documentation on how to install and use each token login method is provided by the partner who developed the login method.

For more information on installing NMAS, see the NMAS 2.0 Installation Quick Start at the Novell Documentation Web site.

For more information on installing and configuring Novell RADIUS, see the Novell RADIUS Administration Guide at the Novell Documentation Web site.

For general information on installing and setting up a login method, see the NMAS 2.0 Administration Guide at the Novell Documentation Web site.

For specific information on installing and using a login method, see the documentation provided by the login method partner.


Configuring Novell RADIUS Components

After NMAS, Novell RADIUS, and the token login method have been installed, you must configure Novell RADIUS on your NMAS server.

Perform the following procedures in order:

  1. Creating a Dial Access System (DAS) Object
  2. Configuring the Login Policy Rules
  3. Adding the iChain Proxy Server As a Client of the Dial Access System (DAS) Object
  4. Creating a RADIUS Dial Access Profile (DAP) Object
  5. Adding an Attribute to the RADIUS Dial Access Profile (DAP) Object
  6. Assigning the Token Method to Each User Object
  7. Assigning the DAS Object to Each User Object
  8. Starting Novell RADIUS Services on Your NMAS Server


Creating a Dial Access System (DAS) Object

  1. Start ConsoleOne.

  2. Right-click an Organizational Unit container object > click New > Object > RADIUS:Dial Access System.

  3. Specify the object name.

  4. Click OK.

  5. Specify the password.

  6. Click OK.


Configuring the Login Policy Rules

  1. Start ConsoleOne.

  2. From the Security Container, double-click the Login Policy object.

  3. Click the Rules tab.

  4. Click + to add a login rule.

  5. On the User list tab, click + and select the user or container that you want the rule to apply to.

  6. On the Sequences tab, click + > select the token method > select Mandatory.

  7. Click OK > OK > OK.


Adding the iChain Proxy Server As a Client of the Dial Access System (DAS) Object

  1. Start ConsoleOne.

  2. Double-click the DAS object.

  3. On the Clients tab, click Add.

  4. For Address, type the IP address of your iChain proxy server.

  5. For Vendor Type, use the drop-down list > select Novell.

  6. Type and confirm a secret for this client.

  7. Click OK.

  8. On the User Resolution tab, click the Use Lookup Contexts List to Resolve User Name radio button if the users are not in the same context as the DAS object.

  9. Click Add.

  10. Browse and highlight the container where the User objects reside.

  11. In the Object Name field, type a name for the object.

  12. Click OK > OK.


Creating a RADIUS Dial Access Profile (DAP) Object

  1. Start ConsoleOne.

  2. Right-click an Organizational Unit container object and click New > Object > RADIUS:Profile.

  3. Click OK.

  4. Specify the object name.

  5. Click OK.


Adding an Attribute to the RADIUS Dial Access Profile (DAP) Object

  1. Start ConsoleOne.

  2. Double-click the DAP object.

  3. On the Attributes tab, click Add.

  4. Select the Novell eDirectory Name attribute.

  5. Check the box next to Novell eDirectory attribute.

  6. Select FDN (Fully Distinguished Name).

    IMPORTANT:  It is critical that you select FDN so that name resolution will work properly. Otherwise, the users who use this profile will get 403 Forbidden errors when they try to access web pages.

  7. Click OK > OK.


Assigning the Token Method to Each User Object

  1. Start ConsoleOne.

  2. Double-click a User object.

  3. Click the Login Methods tab and select the Token method you previously installed.

  4. Follow the partner's instructions for enabling this method.


Assigning the DAS Object to Each User Object

  1. Start ConsoleOne.

  2. Double-click a User object.

  3. Click the Dial Access Services tab.

  4. Select a Dial Access Control.

  5. Browse and select the DAS object you want to assign to this user.

  6. Click Add.

  7. Browse and select the DAP object.

  8. Click OK > OK.


Starting Novell RADIUS Services on Your NMAS Server

From the NMAS server console, type RADIUS. This will start the RADIUS services.


Setting Up the iChain RADIUS Client


Adding a RADIUS Authentication Profile

  1. In the iChain Proxy Server Administration tool, click Configure > Authentication > Insert.

  2. Enter a name for the RADIUS profile.

  3. Click RADIUS authentication > RADIUS Options.

  4. Enter the RADIUS server's IP address.

  5. Enter 1645 for the Novell NMAS RADIUS server's port number.

  6. Enter the shared secret set up in Adding the iChain Proxy Server As a Client of the Dial Access System (DAS) Object.

  7. Click OK > OK > Apply.
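The IP address, port 1645, and shared secret entered above are all that ties the iChain proxy to the Novell RADIUS server, so it helps to see what the secret actually protects on the wire. The following Python is an added illustration, not code from the iChain documentation or from Novell: it builds the RFC 2865 Access-Request the proxy would send and the Access-Accept the server would return, using constructed sample values, and it assumes the user's token code travels in the User-Password attribute (any Novell vendor-specific attributes are left out).

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the iChain documentation): the secret must equal the one
# typed into the DAS object's client entry for the proxy, and the authenticator is random in practice.
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))   # real clients use 16 random bytes (os.urandom(16))

def _xor_blocks(data: bytes, secret: bytes, request_auth: bytes, hiding: bool) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding, and its reverse on the server side.
    Each 16-byte block is XORed with MD5(secret + previous block), where 'previous block'
    is the Request Authenticator for the first block and the previous ciphertext block after that."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        prev = result if hiding else block
        out += result
    return out

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a multiple of 16 bytes
    return _xor_blocks(padded, secret, request_auth, hiding=True)

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return _xor_blocks(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")

def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(identifier: int, user: bytes, token_code: bytes,
                         secret: bytes, request_auth: bytes) -> bytes:
    """Access-Request (code 1) carrying User-Name (1) and the hidden User-Password (2)."""
    attrs = attribute(1, user) + attribute(2, hide_password(token_code, secret, request_auth))
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + request_auth + attrs

def build_access_accept(identifier: int, secret: bytes, request_auth: bytes, attrs: bytes = b"") -> bytes:
    """Access-Accept (code 2). Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", 2, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def reply_is_authentic(reply: bytes, secret: bytes, request_auth: bytes) -> bool:
    """Client-side check: a reply forged or sent with a mismatched shared secret fails here."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)
```

A secret that differs between the DAS client entry and the iChain RADIUS profile shows up as the server failing to recover the token code and the proxy rejecting every reply, which is the symptom to check first when token logins fail.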


Adding RADIUS Authentication to an Accelerator

  1. In the iChain Proxy Server Administration tool, click Configure > Web Server Accelerator.

  2. Select the accelerator you want to add the RADIUS authentication profile to.

  3. Click Modify > Enable Authentication > Authentication Options.

  4. Highlight the RADIUS profile created in Adding a RADIUS Authentication Profile.

  5. Click Add > OK > OK > Apply.

You are now ready to authenticate through RADIUS by using the token login method.
